View Issue Details

ID: 0016518
Project: CentOS-8
Category: firewalld
View Status: public
Last Update: 2020-04-16 05:41
Reporter: merhardt
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
Product Version: 8.0.1905
Target Version:
Fixed in Version:
Summary: 0016518: Bug in firewalld/nftables
Description: There seems to be a bug in nftables when using rich rules in firewalld that refer to ipsets with networks in CIDR notation.
This seems to occur only when the "hash:net" ipset contains networks (/24). When creating a "hash:net" ipset with hosts in CIDR notation (/32), everything works as expected.

The rich rule does not work and /var/log/firewalld shows:
2019-10-01 15:40:44 ERROR: Failed to apply rules. A firewall reload might solve the issue if the firewall has been modified using ip*tables or ebtables.
2019-10-01 15:40:44 ERROR: '/usr/sbin/nft add rule inet firewalld filter_IN_public_allow meta nfproto ipv4 ip saddr @example tcp dport 22 ct state new,untracked accept' failed:
2019-10-01 15:40:45 ERROR: Failed to apply rules. A firewall reload might solve the issue if the firewall has been modified using ip*tables or ebtables.
2019-10-01 15:40:45 ERROR: '/usr/sbin/nft insert rule inet firewalld raw_PREROUTING_ZONES iifname "ens192" goto raw_PRE_public' failed: Error: Could not process rule: No such file or directory
insert rule inet firewalld raw_PREROUTING_ZONES iifname "ens192" goto raw_PRE_public
Steps To Reproduce:
- Firewalld running with default config

firewall-cmd --permanent --new-ipset=example --type=hash:net
firewall-cmd --permanent --ipset=example --add-entry=10.10.123.0/24
firewall-cmd --permanent --ipset=example --add-entry=10.10.123.0/24

firewall-cmd --permanent --zone=public --add-rich-rule 'rule family=ipv4 source ipset=example port port=22 protocol=tcp accept'
firewall-cmd --permanent --zone=public --remove-service=ssh

init 6

- Try to access the host via SSH from the networks within the ipset
Additional Information: CentOS Linux release 8.0.1905 (Core) (Minimal installation using Kickstart)
firewalld-0.6.3-7.el8.noarch
nftables-0.9.0-8.el8.x86_64
Tags: firewalld, nftables
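
A small pre-flight check written for this report (added here; it is not part of the bug report or of firewalld itself): it flags hash:net ipsets whose entries are networks rather than single hosts, which is the case the report says fails, and pulls the failed nft commands and the ipsets they reference out of firewalld log lines like those quoted above. It assumes firewalld's permanent ipset XML uses an `<ipset type="...">` root with `<entry>` children; the sample XML and log lines are constructed.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed ipset definition in the layout firewalld is assumed to use for
# /etc/firewalld/ipsets/<name>.xml; it mirrors the "example" set in the report.
SAMPLE_IPSET_XML = """<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:net">
  <entry>10.10.123.0/24</entry>
  <entry>192.0.2.7/32</entry>
</ipset>
"""

# Constructed log lines modelled on the /var/log/firewalld output quoted above.
SAMPLE_LOG = """2019-10-01 15:40:44 ERROR: Failed to apply rules. A firewall reload might solve the issue if the firewall has been modified using ip*tables or ebtables.
2019-10-01 15:40:44 ERROR: '/usr/sbin/nft add rule inet firewalld filter_IN_public_allow meta nfproto ipv4 ip saddr @example tcp dport 22 ct state new,untracked accept' failed:
2019-10-01 15:40:45 WARNING: unrelated line that must be ignored
"""

def risky_entries(xml_text):
    """Return (set_type, entries) where entries are hash:net members that are
    real networks rather than single hosts, the case the report says fails."""
    root = ET.fromstring(xml_text)
    set_type = root.get("type", "")
    found = []
    if set_type == "hash:net":
        for entry in root.iter("entry"):
            text = (entry.text or "").strip()
            if not text:
                continue
            net = ipaddress.ip_network(text, strict=False)
            if net.prefixlen < net.max_prefixlen:  # /24 counts, /32 or /128 does not
                found.append(str(net))
    return set_type, found

# firewalld logs the exact nft command it could not apply, in single quotes.
NFT_FAILED = re.compile(r"ERROR: '(?P<cmd>/usr/sbin/nft [^']*)' failed")

def failed_nft_rules(log_text):
    """Return [(nft_command, [ipsets referenced as @name])] for every rule
    firewalld reported it failed to apply."""
    results = []
    for line in log_text.splitlines():
        m = NFT_FAILED.search(line)
        if m:
            cmd = m.group("cmd")
            results.append((cmd, re.findall(r"@(\w+)", cmd)))
    return results
```

Point `risky_entries` at each file under /etc/firewalld/ipsets and `failed_nft_rules` at /var/log/firewalld to see whether a host is carrying the combination this report describes.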

Activities

lee.jnk (reporter), 2020-01-30 01:05, ~0036157

Temporary workaround till CentOS 8.2

Get a RedHat Developer account.

Install RHEL 8.2 Beta

download srpms

yumdownloader --source nftables
yumdownloader --source libnftnl
yumdownloader --source libmnl
yumdownloader --source firewalld

and build RPMs on a RHEL/CentOS 8.1 machine.

Install the resulting RPMs on CentOS 8.1.

The only issue is you do not get updates in beta.
vladm (reporter), 2020-03-03 17:50, ~0036442

I went through the ordeal of rebuilding RPMs from the RHEL 8.2b and that didn't help.
lee.jnk (reporter), 2020-03-04 08:59, ~0036448

I built the src rpms in a CentOS 8.1 VM.
And installed all the resulting rpms except the debug rpms on the target machines.
I am using the fix on 3 different machines (all VMs) now.
I also had to reboot after the above install.
Anyway, if you wait some more, it will also be fixed in CentOS 8.1 soon according to
https://bugzilla.redhat.com/show_bug.cgi?id=1774742#c30
vladm (reporter), 2020-03-04 14:47, ~0036455

@lee.jnk - any specific notes for rebuilding the RPMs? The ones I got from RHEL 8.2b seem to be the exact same version as currently coming with CentOS 8.1:

 firewalld-0.7.0-5.el8.src.rpm
 libmnl-1.0.4-6.el8.src.rpm
 libnftnl-1.1.1-4.el8.src.rpm
 nftables-0.9.0-14.el8.src.rpm

I rebuilt those with rpmbuild --rebuild xxx.src.rpm and installed the produced RPMs via rpm -Uvh --force xxx.rpm
And, like I mentioned above, I still have nft segfaults when hash:net ipsets are defined in firewalld.
vladm (reporter), 2020-03-04 14:55, ~0036456

OK, please ignore my last comment; somehow I managed to install and pull source RPMs from RHEL 8.1 vs. RHEL 8.2b.
lee.jnk (reporter), 2020-04-16 01:23, ~0036699

The fix is available in the CentOS repos.
$ dnf upgrade
merhardt (reporter), 2020-04-16 05:41, ~0036700

I can confirm that the issue is fixed after applying the latest updates from the CentOS repos.

Issue History

Date Modified Username Field Change
2019-10-02 12:56 merhardt New Issue
2019-10-02 12:56 merhardt Tag Attached: firewalld
2020-01-30 01:05 lee.jnk Note Added: 0036157
2020-01-30 04:25 lee.jnk Tag Attached: nftables
2020-03-03 17:50 vladm Note Added: 0036442
2020-03-04 08:59 lee.jnk Note Added: 0036448
2020-03-04 14:47 vladm Note Added: 0036455
2020-03-04 14:55 vladm Note Added: 0036456
2020-04-16 01:23 lee.jnk Note Added: 0036699
2020-04-16 05:41 merhardt Note Added: 0036700